Python Package Masquerade: How a Fake SymPy Library Unleashed Crypto Miners on Linux
Subtitle: Rogue PyPI upload tricks developers, weaponizes math code to mine cryptocurrency in secret.
It started with a simple install command. For over a thousand developers, downloading what looked like a harmless update to a beloved math library may have quietly turned their Linux machines into digital gold mines-just not for them.
Fast Facts
- A malicious Python package called sympy-dev posed as the popular SymPy library on PyPI.
- Over 1,100 downloads since January 17, 2026, with the package still publicly available at the time of discovery.
- The package deployed an XMRig cryptocurrency miner, triggered by specific mathematical routines.
- Payloads were run entirely in memory to avoid leaving traces on disk, leveraging Linux’s
memfd_createfeature. - The attack infrastructure directs mining traffic to endpoints controlled by the threat actors.
Inside the Heist: How Developers Got Duped
The Python Package Index (PyPI) has long been the lifeblood of the open-source development world. But in January 2026, it became the stage for a sophisticated impersonation: a package named sympy-dev appeared, copying the trusted SymPy project’s description word-for-word. The ruse? To lure developers into installing a “development version” of the symbolic mathematics library. The reality was much darker.
Security researcher Kirill Boychenko and the team at Socket uncovered that sympy-dev was more than just a copycat. Buried within its code were subtle modifications: certain mathematical functions, when called, would spring a trap. These backdoored routines quietly reached out to a remote server, downloaded a configuration file and a Linux ELF binary, and executed them directly in memory using Linux’s memfd_create-a technique designed to leave no trace on the disk and evade detection.
The payload? XMRig, a notorious open-source cryptocurrency miner. The configuration ensured only CPU mining was enabled (disabling GPU mining for stealth), and all mined currency was funneled through encrypted connections to servers under the attackers’ control. The campaign’s design meant the miner would only activate under specific circumstances, making detection by security tools even harder.
While the primary goal appeared to be cryptojacking-secretly mining Monero for the attackers-the Python implant’s architecture allowed it to fetch and run any code, posing a broader threat if repurposed. The incident echoes techniques seen in previous campaigns by groups like FritzFrog and Mimo, where memory-only execution and stealthy communications are the weapons of choice.
What This Means for the Open-Source Ecosystem
The sympy-dev incident is a stark reminder: even trusted ecosystems like PyPI are not immune to manipulation. As attackers get more creative, the responsibility to verify packages and scrutinize unexpected “development” versions falls increasingly on developers and security teams. With supply chain attacks on the rise, the line between convenience and compromise has never been thinner.
WIKICROOK
- PyPI: PyPI is the main online repository for Python software packages, allowing developers to share, download, and manage Python code easily.
- SymPy: SymPy is a Python library for symbolic mathematics, useful for algebra, calculus, and cryptography-related computations in cybersecurity research.
- XMRig: XMRig is an open-source program for mining Monero cryptocurrency, often misused by cybercriminals to secretly mine on victims' devices.
- ELF Binary: ELF Binary is a standard file format for executables and libraries on Unix-like systems, crucial in malware analysis and digital forensics.
- memfd_create: memfd_create is a Linux system call that creates anonymous, memory-backed files, often exploited by attackers for stealthy fileless malware execution.




